The SANS 20 Critical Security Controls are widely viewed as the “Gold Standard” framework for building and evaluating an organization’s security program. In this article, we will look at several of these controls and how Red Canary helps our clients improve their security posture in meaningful ways. (Full disclosure: I am a SANS Certified Instructor, but do not have any direct connection to the 20 Critical Controls program.)
The SANS 20 Critical Security Controls themselves cover a wide swath of any security program, and no single solution can provide complete coverage. However, Red Canary strongly supports several of them. I’ve included a list of these below (in order, as documented in version 5 of the framework), as well as some background on how Red Canary supports each control.
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Red Canary sees a wealth of detail on each piece of software that runs as a byproduct of observing each execution event within our clients’ environments. This includes not only the executable name, but its digital signature status, hash, version number, and more. We are also able to flag binaries based on frequency of occurrence, which is invaluable when attempting to find outliers within an organization of any size. By using Carbon Black as our collector, we also acquire copies of each unique binary that executes, facilitating later examination if needed. If our clients choose to leverage Bit9’s application whitelisting functionality, they can prevent the execution of unknown binaries altogether.
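The frequency-of-occurrence idea above is worth seeing concretely. The following is an added example, not Red Canary or Carbon Black code: it aggregates constructed execution records by file hash, counts on how many distinct hosts each hash was seen, and ranks the rare ones with unsigned binaries first. It also lists executable names that map to more than one hash, which is why the article keys on hashes and signature status rather than on names alone. The fleet size, the records and the hash labels are all assumptions made for the demo.

```python
"""Prevalence-based outlier flagging over endpoint execution events.

Added illustration, not Red Canary or Carbon Black code. Each record is one
observed process execution carrying the fields the article names (executable
name, hash, signature status, version) plus the host it ran on. All records
and hash labels are constructed for the demo; the hashes are not real digests.
"""
from collections import defaultdict

FLEET_SIZE = 40  # assumed number of monitored hosts


def _common(exe, h, version, hosts):
    """Fabricate one execution per host for a widely deployed, signed binary."""
    return [{"host": f"ws{i:02d}", "exe": exe, "hash": h, "signed": True, "version": version}
            for i in range(hosts)]


EVENTS = (
    _common("chrome.exe", "H-chrome", "48.0", 40)
    + _common("svchost.exe", "H-svchost", "6.1", 40)
    + _common("outlook.exe", "H-outlook", "15.0", 35)
    + [
        # Same name as the fleet-wide svchost.exe, but a different, unsigned hash,
        # executed twice on a single host.
        {"host": "ws03", "exe": "svchost.exe", "hash": "H-svchost-odd", "signed": False, "version": ""},
        {"host": "ws03", "exe": "svchost.exe", "hash": "H-svchost-odd", "signed": False, "version": ""},
        # Signed, but seen on only two hosts.
        {"host": "ws17", "exe": "update.exe", "hash": "H-update", "signed": True, "version": "2.1"},
        {"host": "ws21", "exe": "update.exe", "hash": "H-update", "signed": True, "version": "2.1"},
    ]
)


def prevalence_by_hash(events):
    """Aggregate events into {hash: {"exe", "signed", "hosts": set()}}.

    Prevalence is counted per distinct host, not per execution, so one machine
    running a binary many times does not make it look widespread.
    """
    table = {}
    for ev in events:
        entry = table.setdefault(ev["hash"], {"exe": ev["exe"], "signed": ev["signed"], "hosts": set()})
        entry["hosts"].add(ev["host"])
    return table


def find_outliers(events, fleet_size, max_hosts=2):
    """Return rare hashes as (hash, exe, signed, host_count, fleet_fraction),
    unsigned binaries first, then fewest hosts."""
    outliers = []
    for h, entry in prevalence_by_hash(events).items():
        n = len(entry["hosts"])
        if n <= max_hosts:
            outliers.append((h, entry["exe"], entry["signed"], n, n / fleet_size))
    outliers.sort(key=lambda t: (t[2], t[3]))  # False (unsigned) sorts before True
    return outliers


def name_collisions(events):
    """Executable names that map to more than one hash: a natural place to look
    for a binary masquerading as a well-known system component."""
    hashes = defaultdict(set)
    for ev in events:
        hashes[ev["exe"].lower()].add(ev["hash"])
    return {exe for exe, hs in hashes.items() if len(hs) > 1}


if __name__ == "__main__":
    for h, exe, signed, n, frac in find_outliers(EVENTS, FLEET_SIZE):
        print(f"{exe:12} {h:15} signed={signed!s:5} hosts={n} ({frac:.1%} of fleet)")
    print("names with multiple hashes:", name_collisions(EVENTS))
```

Counting distinct hosts rather than raw executions is the important design choice: a rare binary that loops on one compromised machine should still read as rare. In a real deployment the `max_hosts` threshold would scale with fleet size, and the hash table would be joined against the signing and reputation data the article mentions.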
Critical Security Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Specifically with regard to CSC 3-8, Red Canary can identify critical system files that have been changed from their original content. This aids our clients in quickly determining when a system-level binary has been altered or replaced, which is often the result of malicious activity. Moreover, Red Canary provides a platform upon which customers can easily automate identification of system configuration changes, introduction of new software, and changes to sensitive files and registry keys.
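The "changed from their original content" check in CSC 3-8 is, at its core, a baseline-and-compare over cryptographic digests. Here is an added example of that pattern, not Red Canary or Carbon Black code: it records SHA-256 digests for a list of files, re-hashes them later, and reports which were modified, removed, or newly introduced. The file names are constructed in a temporary directory so the script runs offline; they stand in for the critical system files a real baseline would cover.

```python
"""Baseline-and-compare integrity check for a set of critical files.

Added illustration, not Red Canary or Carbon Black code. The sample files and
their paths are constructed in a temporary directory; real deployments would
baseline system binaries and configuration files instead.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Map each path to its digest; paths that do not exist are recorded as None."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def compare(baseline, current):
    """Classify differences between a baseline manifest and a current one.

    Returns {'modified': [...], 'missing': [...], 'new': [...]}, each sorted:
    'modified' means the digest changed, 'missing' means the file existed at
    baseline time and is gone now, 'new' means it appeared after the baseline.
    """
    modified, missing, new = [], [], []
    for path in set(baseline) | set(current):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        if before is not None and after is None:
            missing.append(path)
        elif before is None and after is not None:
            new.append(path)
        else:
            modified.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing), "new": sorted(new)}


def demo():
    """Constructed scenario: baseline three files, then replace one and delete one."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    paths = [os.path.join(root, n) for n in ("svc_a.bin", "svc_b.bin", "cfg.ini")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original content of " + os.path.basename(p).encode())
    baseline = build_manifest(paths)

    # Simulated tampering: one file replaced with different content, one removed.
    with open(paths[0], "wb") as f:
        f.write(b"replaced content")
    os.remove(paths[2])

    return compare(baseline, build_manifest(paths))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}", [os.path.basename(p) for p in files])
```

Two practical caveats the example does not solve: the baseline itself must be stored where an attacker who has altered the monitored files cannot also alter it, and a digest comparison says nothing about why a file changed, so it must be correlated with patch and change-control records to separate legitimate updates from tampering.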
Critical Security Control 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Red Canary’s primary objective is identification of realized threats, which implies the presence of some class of vulnerability. However, our platform also supports CSC 4-4, the use of vulnerability intelligence services, via the cyber threat intelligence sources integrated into both our threat detection engine and Carbon Black. Through integration with the National Vulnerability Database (NVD), customers can generate reports or alerts whenever a vulnerable application is observed within their environment.
Critical Security Control 5: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
We rely on events associated with binary execution, so it’s no surprise that Red Canary supports a number of the sub-controls in this section, namely CSCs 5-1, 5-2, 5-8, 5-10, and 5-11. Part of what makes Red Canary so effective is that we run the sensor on all endpoints within your environment – providing unparalleled visibility into the binaries that execute. This continuous, near-real-time feed of endpoint activity into our threat detection engine results in potentially threatening events that our analysts review, then quickly and decisively characterize as benign or malicious.
As we all know, malware changes rapidly and easily thwarts most signature-based detection mechanisms. Red Canary’s threat detection engine includes behavioral, signature, reputation, and a variety of binary analysis components. Our platform keeps local copies of each binary that executes, and retrieving malware samples for deeper examination is a simple task.
Critical Security Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Specifically with regard to CSC 9-1, Red Canary’s view on executed binaries allows us to determine where a particular user account might have more access than necessary. As an example, if we observe that a normal user account installed an unauthorized piece of software, we can notify the client to remediate and hopefully to enforce more appropriate controls on the account. If we identify that many employees have installed unauthorized software, the client would then have a clearer understanding that their staff needs better training on authorized and unauthorized activities. This vantage point provides a unique validation of policy and training.
Critical Security Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
The Carbon Black sensor Red Canary leverages is the “security camera for the endpoint,” and its primary purpose directly supports this CSC. Since all of our customers have full access to their dedicated collectors, they can access the evidence to support incident response activities. Additionally, since Red Canary continuously examines the same evidence to identify realized threats, our process proactively identifies suspicious conditions covered by CSC 14-9. These include service creation, lateral movement using native tools and functionality, and ephemeral binary execution.
Critical Security Control 16: Account Monitoring and Control
Actively manage the life-cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Red Canary’s threat detection engine continually monitors endpoints to detect creation, modification or removal of users or groups under suspicious circumstances. In addition, models of account activity are fed into our analytics engine to search for anomalous login activity.
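The CSC 14-9 conditions named two sections above (service creation, lateral movement using native tools, ephemeral binary execution) and the account-monitoring conditions in this section (account creation under suspicious circumstances, anomalous logins) are all rules over the same endpoint event stream, so one added example covers both. This is illustration code, not Red Canary or Carbon Black code; the event records, the business-hours window, the native-tool list, the ephemeral-lifetime threshold and the per-account host profile are all constructed assumptions for the demo.

```python
"""Rule examples over endpoint telemetry for the conditions the article names:
service creation, native-tool use against a remote host, ephemeral binary
execution, account creation outside business hours, and logons to hosts an
account has never used before.

Added illustration, not Red Canary or Carbon Black code. Every record and every
threshold below is a constructed assumption for the demo.
"""
from datetime import datetime

# Constructed telemetry: one dict per endpoint event, already in time order.
EVENTS = [
    {"ts": "2015-03-10T09:01:00", "host": "ws07", "type": "process_start", "pid": 412,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "user": r"CORP\alice"},
    {"ts": "2015-03-10T09:40:00", "host": "ws07", "type": "process_end", "pid": 412},
    {"ts": "2015-03-10T13:15:00", "host": "ws07", "type": "process_start", "pid": 980,
     "image": r"C:\Users\alice\AppData\Local\Temp\x.exe", "cmdline": "x.exe", "user": r"CORP\alice"},
    {"ts": "2015-03-10T13:15:01", "host": "ws07", "type": "process_end", "pid": 980},
    {"ts": "2015-03-10T13:16:00", "host": "ws07", "type": "process_start", "pid": 1001,
     "image": r"C:\Windows\System32\sc.exe", "cmdline": r"sc.exe \\srv02 query", "user": r"CORP\alice"},
    {"ts": "2015-03-10T13:16:05", "host": "srv02", "type": "service_create",
     "service": "updsvc", "image": r"C:\Windows\Temp\upd.exe", "user": r"CORP\alice"},
    {"ts": "2015-03-11T02:30:00", "host": "srv02", "type": "user_create",
     "target": "support2", "user": r"CORP\alice"},
    {"ts": "2015-03-11T02:31:00", "host": "srv02", "type": "logon", "user": r"CORP\support2"},
    {"ts": "2015-03-11T08:05:00", "host": "ws07", "type": "logon", "user": r"CORP\alice"},
]

# Assumed policy knobs and baseline for the demo.
NATIVE_REMOTE_TOOLS = {"sc.exe", "wmic.exe", "schtasks.exe", "net.exe", "at.exe"}
BUSINESS_HOURS = (8, 18)      # account changes expected between 08:00 and 18:00 local
EPHEMERAL_SECONDS = 5         # a process that lives this briefly from a temp dir is notable
USER_HOST_PROFILE = {r"CORP\alice": {"ws07"}}  # hosts each account normally logs on to


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect(events, profile=USER_HOST_PROFILE):
    """Return a list of (rule, host, detail) findings in event order."""
    findings = []
    starts = {}  # (host, pid) -> process_start event awaiting its process_end
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, kind = parse_ts(ev["ts"]), ev["type"]
        if kind == "process_start":
            starts[(ev["host"], ev["pid"])] = ev
            exe = ev["image"].rsplit("\\", 1)[-1].lower()
            # Native admin tool pointed at another machine (UNC-style \\host argument).
            if exe in NATIVE_REMOTE_TOOLS and "\\\\" in ev["cmdline"]:
                findings.append(("lateral_movement_native_tool", ev["host"], ev["cmdline"]))
        elif kind == "process_end":
            start = starts.pop((ev["host"], ev["pid"]), None)
            if start is not None:
                lifetime = (t - parse_ts(start["ts"])).total_seconds()
                if lifetime <= EPHEMERAL_SECONDS and "\\temp\\" in start["image"].lower():
                    findings.append(("ephemeral_execution", ev["host"], start["image"]))
        elif kind == "service_create":
            findings.append(("service_created", ev["host"], f'{ev["service"]} -> {ev["image"]}'))
        elif kind == "user_create":
            if not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
                findings.append(("account_created_off_hours", ev["host"], ev["target"]))
        elif kind == "logon":
            # No profile entry at all (a brand-new account) also counts as outside profile.
            if ev["host"] not in profile.get(ev["user"], set()):
                findings.append(("logon_outside_profile", ev["host"], ev["user"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{rule:30} {host:6} {detail}")
```

Each rule on its own would be noisy in production (administrators do run `sc.exe` against remote hosts, and installers do create services); the value comes from the sequence, which is why the findings carry the host and a detail field so an analyst can see that the temp-directory execution, the remote service creation and the off-hours account all trace back to one session. A real analytics engine would learn the `USER_HOST_PROFILE` baseline from history rather than hard-code it.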
Critical Security Control 18: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
Red Canary drastically shortens the time between suspicious event occurrence and completed remediation. We’ve designed our entire process to improve the speed and precision of our clients’ own incident response processes through clear and decisive threat detection notifications coupled with direct access to Carbon Black and its unparalleled investigation, isolation and remediation capabilities.
Red Canary provides timely, detailed, and actionable detection through a powerful platform that supports eight of the SANS 20 Critical Security Controls. Contact us today to get started in minutes and see how you can benefit from advanced endpoint threat detection at scale.